[gnutls-devel] GnuTLS | Wrong CDP in certificate (#1126)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Nov 26 23:24:28 CET 2020



Thomas Karlsson created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1126



## Description of problem:
When signing a CSR, the CDP is copied from the signing CA's CDP. The CDP should be specified, if needed, in the template.
Copying the signing CA's CDP is wrong most of the time, unless (which doesn't make sense) a CDP exists in the Root CA's certificate.

## Version of gnutls used:
The latest checkout on branch master

## How reproducible:

Steps to Reproduce:

*root-ca.cfg*
<code>
organization = "Initech"
cn = "Initech Root CA"
expiration_days = 700
ca
cert_signing_key
crl_signing_key
</code>

*issuing-ca.cfg*
<code>
organization = "Initech"
cn = "Initech CA"
expiration_days = 350
crl_dist_points = "http://crl.initech.lan/Initech_Root_CA.crl"
ca
signing_key
cert_signing_key
crl_signing_key
path_len = 0
</code>

*servercert.cfg*
<code>
organization = "Initech"
cn = "test.example.com"
expiration_days = 350
crl_dist_points = "http://crl.initech.lan/Initech_CA.crl"
tls_www_server
key_agreement
data_encipherment
</code>


<code>
certtool --generate-privkey --sec-param high --outfile Initech_Root_CA-key.pem
certtool --generate-self-signed --load-privkey Initech_Root_CA-key.pem --template root-ca.cfg --outfile Initech_Root_CA-cert.pem
certtool --generate-privkey --sec-param medium --outfile Initech_CA-key.pem
certtool --generate-request --load-privkey Initech_CA-key.pem --template issuing-ca.cfg --outfile Initech_CA-csr.pem
certtool --generate-certificate --load-ca-privkey Initech_Root_CA-key.pem --load-ca-certificate Initech_Root_CA-cert.pem --load-request Initech_CA-csr.pem --template issuing-ca.cfg --outfile Initech_CA-cert.pem
certtool --generate-privkey --sec-param medium --outfile test.initech.lan-key.pem
certtool --generate-request --load-privkey test.initech.lan-key.pem --template servercert.cfg --outfile test.initech.lan-csr.pem
certtool --generate-certificate --load-ca-privkey Initech_CA-key.pem --load-ca-certificate Initech_CA-cert.pem --load-request test.initech.lan-csr.pem --template servercert.cfg --outfile test.initech.lan-cert.pem
</code>

## Actual results:
CDP in server certificate points to Root CA's CRL

## Expected results:
CDP in server certificate points to the Issuing CA's specified CDP.

## Proposed fix
<code>
--- certtool.c.org	2020-11-26 23:16:24.415557527 +0100
+++ certtool.c	2020-11-26 23:19:09.234423551 +0100
@@ -781,10 +781,8 @@
 	/* always set CRL distribution points on CAs, but also on certificates
 	 * generated with --generate-self-signed. The latter is to retain
 	 * compatibility with previous versions of certtool. */
-	if (ca_status || (!proxy && ca_crt == NULL)) {
+	if (ca_status || (!proxy)) {
 		get_crl_dist_point_set(crt);
-	} else if (!proxy && ca_crt != NULL) {
-		gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt);
 	}
 
 	*ret_key = key;
</code>
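Review bot: the comment at the top of the hunk is now stale. It still says CRL distribution points are set on CAs and on certificates generated with --generate-self-signed, but after the change to `if (ca_status || (!proxy))` the template's crl_dist_points are applied to every non-proxy certificate, CA-signed end-entity certificates included; reword the comment to say so, and drop the redundant parentheses around !proxy while there. Because the removed else branch (`gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt)`) was the only thing that gave a CA-signed leaf a CDP when its template had none, this is a user-visible behaviour change for existing templates that relied on inheriting the issuer's CDP and deserves a NEWS entry and a line in the certtool template documentation. Also confirm that get_crl_dist_point_set() is a no-op when the template carries no crl_dist_points: the old code already called it unconditionally for CAs, but it now runs for every end-entity certificate as well.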

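Added example (not from the issue or the GnuTLS project): the reporter's templates and commands above, run as one script that then prints and checks the CDP each certificate actually carries, instead of reading `--certificate-info` by eye. It assumes certtool is in PATH and that `certtool --certificate-info` and `openssl x509 -text` both print CDP URIs on lines beginning with `URI:`; the awk filter, the `check_cdp_text`/`expect_cdp` helpers and the `sample_info_output` listing are mine, and that listing is a constructed approximation of certtool's output, not real output. With certtool behaving as the issue describes, the last check fails and the script exits 1; once the template's CDP is honoured it passes.

```shell
#!/bin/sh
# Added example, not part of the GnuTLS issue or project: re-run the reporter's
# certtool steps in a scratch directory and check mechanically which CRL
# Distribution Point URI each certificate actually carries.
# Usage: sh check_cdp.sh run   (needs certtool in PATH; exit status 1 on the bug)
set -e
# cdp_uris: read `certtool --certificate-info` or `openssl x509 -text` output on
# stdin and print the URIs of the CRL Distribution Points extension, one per
# line. Only the CDP section is scanned, so URIs in Subject Alternative Name or
# Authority Information Access are not mistaken for a CDP. Blank lines and the
# sub-labels OpenSSL prints stay inside the section; any other line ends it.
cdp_uris() {
    awk '
        /CRL Distribution/ { in_cdp = 1; next }
        in_cdp && /URI:/ { sub(/^[[:space:]]*URI:[[:space:]]*/, ""); print; next }
        in_cdp && !/^[[:space:]]*((Full Name|Reasons|CRL Issuer):.*)?$/ { in_cdp = 0 }
    '
}
# check_cdp_text EXPECTED: succeed only if the info text on stdin carries exactly
# the CDP URI EXPECTED (pass "" to require that there is no CDP at all).
check_cdp_text() {
    got=$(cdp_uris)
    [ "$got" = "$1" ]
}
# expect_cdp CERT_FILE EXPECTED: report and fail when CERT_FILE's CDP differs.
# With the certtool behaviour described in the issue the leaf certificate fails
# here because it inherited the issuing CA's CDP instead of the template's.
expect_cdp() {
    if certtool --certificate-info --infile "$1" | check_cdp_text "$2"; then
        echo "ok   $1: CDP = ${2:-(none)}"
    else
        echo "FAIL $1: CDP = $(certtool --certificate-info --infile "$1" | cdp_uris | tr '\n' ' ')(expected ${2:-(none)})" >&2
        return 1
    fi
}
# sample_info_output: constructed approximation of certtool's --certificate-info
# extension listing (not real output), used only to exercise cdp_uris offline.
sample_info_output() {
    cat <<'EOF'
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        CRL Distribution points (not critical):
            URI: http://crl.initech.lan/Initech_Root_CA.crl
        Subject Alternative Name (not critical):
            URI: https://test.initech.lan/
EOF
}
# reproduce: the reporter's templates and commands, then the CDP each certificate
# should carry: none on the root, the root's CRL on the issuing CA, and the
# issuing CA's CRL (as given in servercert.cfg) on the leaf.
reproduce() {
    work=$(mktemp -d)
    cd "$work"
    cat >root-ca.cfg <<'EOF'
organization = "Initech"
cn = "Initech Root CA"
expiration_days = 700
ca
cert_signing_key
crl_signing_key
EOF
    cat >issuing-ca.cfg <<'EOF'
organization = "Initech"
cn = "Initech CA"
expiration_days = 350
crl_dist_points = "http://crl.initech.lan/Initech_Root_CA.crl"
ca
signing_key
cert_signing_key
crl_signing_key
path_len = 0
EOF
    cat >servercert.cfg <<'EOF'
organization = "Initech"
cn = "test.example.com"
expiration_days = 350
crl_dist_points = "http://crl.initech.lan/Initech_CA.crl"
tls_www_server
key_agreement
data_encipherment
EOF
    certtool --generate-privkey --sec-param high --outfile Initech_Root_CA-key.pem
    certtool --generate-self-signed --load-privkey Initech_Root_CA-key.pem --template root-ca.cfg --outfile Initech_Root_CA-cert.pem
    certtool --generate-privkey --sec-param medium --outfile Initech_CA-key.pem
    certtool --generate-request --load-privkey Initech_CA-key.pem --template issuing-ca.cfg --outfile Initech_CA-csr.pem
    certtool --generate-certificate --load-ca-privkey Initech_Root_CA-key.pem --load-ca-certificate Initech_Root_CA-cert.pem --load-request Initech_CA-csr.pem --template issuing-ca.cfg --outfile Initech_CA-cert.pem
    certtool --generate-privkey --sec-param medium --outfile test.initech.lan-key.pem
    certtool --generate-request --load-privkey test.initech.lan-key.pem --template servercert.cfg --outfile test.initech.lan-csr.pem
    certtool --generate-certificate --load-ca-privkey Initech_CA-key.pem --load-ca-certificate Initech_CA-cert.pem --load-request test.initech.lan-csr.pem --template servercert.cfg --outfile test.initech.lan-cert.pem
    echo "artifacts in $work"
    expect_cdp Initech_Root_CA-cert.pem ""
    expect_cdp Initech_CA-cert.pem http://crl.initech.lan/Initech_Root_CA.crl
    expect_cdp test.initech.lan-cert.pem http://crl.initech.lan/Initech_CA.crl
}
if [ "${1:-}" = run ]; then reproduce; fi
```

The filter deliberately ignores everything outside the CRL Distribution Points section: a Subject Alternative Name or OCSP URI in the same listing would otherwise be reported as a CDP, which is exactly the kind of misreading that makes a copied CDP easy to miss.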